Auditing Logs on a large-scale


Luis

Aug 19, 2024, 9:46:40 AM
to certificate-transparency
Hello there,

I want to do some research on CT logs for my bachelor thesis. Namely, I want to verify the integrity of SCTs with their corresponding entry in the logs (general existence and temporal).
My goal is to verify for a large dataset of certificates that each of the certificates is properly included.

I now have some problems that I ran into while researching and doing some coding myself.
  1. Since the timestamp used in the leaf_hash of the entries can be in a relatively large range ((timestamp given in the SCT) to (timestamp given in the SCT + MMD)), I am thinking about how to efficiently query the logs to get the correct entry. Is there maybe already an implementation of this? So that I just have to give the implementation the certificate and the timestamp of the SCT and it will find me the exact entry?
  2. If there is no known implementation so far: I was thinking about doing a binary search on the rough timestamp - given by the SCT - in the CT log, so that I have a starting point. From there, I try to do a linear search to find the entry that contains the certificate I am looking for. Is this feasible, or is there a smarter way to do this?
  3. As an alternative, is there any monitor that allows automated high-frequency access for research purposes?

Thanks in advance! Love the project
Best regards.

Matthew McPherrin

Aug 19, 2024, 11:30:08 AM
to certificate-...@googlegroups.com
If you have a certificate that you want to check is included in a log, you should use `get-proof-by-hash`.
That will return the leaf_index telling you where a certificate is in the tree, along with the audit_path needed to validate the certificate is included in the tree.


Filippo Valsorda

Aug 19, 2024, 11:46:02 AM
to certificate-...@googlegroups.com
Hi Luis,

If I understand correctly, you have a certificate and an SCT, and want to get the corresponding log entry. That's what /ct/v1/get-proof-by-hash is for. (In a Static CT API log, you'd use the SCT extension, instead.)

Note that the TimestampedEntry.timestamp which is part of the leaf hash is the same timestamp as in the SCT, not the timestamp of when the leaf was merged into the log.

Cheers,
Filippo
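Putting the two answers above into code (an added example, not code from this thread or from any CT project): the leaf hash that `get-proof-by-hash` expects is SHA-256 over `0x00 || MerkleTreeLeaf`, where the `TimestampedEntry.timestamp` is the SCT's own timestamp (milliseconds since the epoch), and the `leaf_index` plus `audit_path` the endpoint returns are checked against an STH root hash with the RFC 6962 / RFC 9162 inclusion-proof algorithm. The example covers `x509_entry` leaves only (precert leaves hash the issuer key hash and TBSCertificate instead), and the "certificates" and tree it builds are constructed byte strings standing in for DER, so the whole thing runs offline; the tree builder and path generator exist only to produce test vectors and are not what a log does.

```python
import hashlib
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior node: SHA-256(0x01 || left || right) (RFC 6962 section 2.1).
    return sha256(b"\x01" + left + right)


def leaf_hash(sct_timestamp_ms: int, cert_der: bytes, extensions: bytes = b"") -> bytes:
    """Hash of a MerkleTreeLeaf for an x509_entry: SHA-256(0x00 || leaf).

    sct_timestamp_ms is the SCT timestamp; it is the same value that goes into
    TimestampedEntry.timestamp, not the time the log merged the leaf.
    """
    if not 1 <= len(cert_der) < (1 << 24):
        raise ValueError("ASN.1Cert must be 1..2^24-1 bytes")
    if len(extensions) >= (1 << 16):
        raise ValueError("CtExtensions must be < 2^16 bytes")
    leaf = (
        b"\x00"                                  # Version: v1
        + b"\x00"                                # MerkleLeafType: timestamped_entry
        + struct.pack(">Q", sct_timestamp_ms)    # TimestampedEntry.timestamp (uint64, ms)
        + b"\x00\x00"                            # LogEntryType: x509_entry
        + len(cert_der).to_bytes(3, "big") + cert_der      # opaque ASN.1Cert<1..2^24-1>
        + struct.pack(">H", len(extensions)) + extensions  # opaque CtExtensions<0..2^16-1>
    )
    return sha256(b"\x00" + leaf)


def verify_inclusion(leaf: bytes, leaf_index: int, tree_size: int,
                     audit_path: list, root_hash: bytes) -> bool:
    """RFC 9162 section 2.1.3.2 inclusion-proof verification.

    leaf_index and audit_path are what get-proof-by-hash returns; root_hash and
    tree_size come from the STH the proof was requested against.
    """
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf
    for p in audit_path:
        if sn == 0:
            return False                         # path longer than the tree allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)                  # sibling is on the left
            if not fn & 1:
                while fn & 1 == 0 and fn != 0:   # climb past the right-edge nodes
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)                  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash


# --- test-vector helpers (constructed; only used to exercise the verifier) ---

def _split_point(n: int) -> int:
    k = 1
    while k * 2 < n:
        k *= 2
    return k                                     # largest power of two < n


def merkle_root(leaves: list) -> bytes:
    """MTH(D[n]) per RFC 6962 section 2.1, over already-hashed leaves."""
    if not leaves:
        return sha256(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def audit_path(m: int, leaves: list) -> list:
    """PATH(m, D[n]) per RFC 6962 section 2.1.1: what a log returns for leaf m."""
    if len(leaves) <= 1:
        return []
    k = _split_point(len(leaves))
    if m < k:
        return audit_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]


def demo() -> bool:
    # Constructed stand-ins for DER certificates and SCT timestamps (not real data).
    base_ts = 1_700_000_000_000
    leaves = [leaf_hash(base_ts + i, b"constructed-cert-%d" % i) for i in range(7)]
    root = merkle_root(leaves)
    ok = all(verify_inclusion(leaves[i], i, 7, audit_path(i, leaves), root) for i in range(7))
    # A proof for a different index must not validate the leaf.
    bad = verify_inclusion(leaves[3], 3, 7, audit_path(2, leaves), root)
    return ok and not bad


if __name__ == "__main__":
    print("inclusion proofs verify:", demo())
```

Against a real log you would DER-encode the certificate, compute `leaf_hash(sct.timestamp, der)`, base64 it into the `hash` query parameter of `get-proof-by-hash` with the STH's `tree_size`, and feed the returned `leaf_index` and `audit_path` (base64-decoded) together with the STH's `sha256_root_hash` to `verify_inclusion`. If the hash is off by even one field (a wrong timestamp is the usual culprit, as the next message in the thread shows), the log simply reports the hash as not found.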

Luis

Aug 21, 2024, 5:02:39 PM
to certificate-transparency
Thank you for the clarification!

My code accidentally used a timezone other than UTC; I did not realize that the SCT timestamp and the TimestampedEntry.timestamp were the same.

But then, how can I confirm that the certificate was included in a timely manner (before the Maximum Merge Delay)?
Is it even possible to get the time when the leaf was merged into the log after a long time?

Best regards.

Kurt Roeckx

Aug 21, 2024, 5:30:28 PM
to 'Luis' via certificate-transparency
Hi,

You can check the first STH that included the entry for the certificate.

Kurt
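What "check the first STH that included the entry" looks like in practice, as an added example that is not part of the thread: once `get-proof-by-hash` has given you the `leaf_index`, the earliest STH you have on record whose `tree_size` exceeds that index is the first one that covered the entry, and its timestamp is an upper bound on when the leaf was merged. Comparing that bound to the SCT timestamp plus the log's MMD tells you whether the log kept its promise, with the caveat that it only proves the merge happened no later than that STH; with a sparse STH history you cannot narrow the merge time further, and with no covering STH at all you cannot conclude anything. The STH history below is constructed (it is not from any real log), and `STH` and `check_mmd` are names chosen for this example.

```python
import bisect
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class STH:
    tree_size: int      # leaves covered: indices 0 .. tree_size-1
    timestamp_ms: int   # STH timestamp, milliseconds since the epoch


def first_sth_including(sths: List[STH], leaf_index: int) -> Optional[STH]:
    """Earliest recorded STH whose tree covers leaf_index, or None if none does.

    sths must be sorted by tree_size ascending (STH history as a monitor stores it).
    """
    sizes = [s.tree_size for s in sths]
    i = bisect.bisect_right(sizes, leaf_index)   # first tree_size > leaf_index
    return sths[i] if i < len(sths) else None


def check_mmd(sct_timestamp_ms: int, leaf_index: int,
              sths: List[STH], mmd_ms: int) -> Tuple[str, Optional[int]]:
    """Return ("ok"|"late"|"unknown", merge_delay_upper_bound_ms).

    "ok"      - the entry was provably merged within the MMD.
    "late"    - every STH covering the entry is later than SCT timestamp + MMD,
                so the merge cannot have met the MMD (an MMD violation).
    "unknown" - no recorded STH covers the entry yet.
    """
    sth = first_sth_including(sths, leaf_index)
    if sth is None:
        return "unknown", None
    bound = sth.timestamp_ms - sct_timestamp_ms  # merge happened no later than this
    return ("ok" if bound <= mmd_ms else "late"), bound


MMD_24H_MS = 24 * 60 * 60 * 1000

# Constructed STH history for a hypothetical log (not real observations).
SCT_TS = 1_700_000_000_000
HISTORY = [
    STH(tree_size=100, timestamp_ms=SCT_TS - 3_600_000),    # 1 h before the SCT
    STH(tree_size=150, timestamp_ms=SCT_TS + 1_800_000),    # 30 min after
    STH(tree_size=200, timestamp_ms=SCT_TS + 90_000_000),   # 25 h after (past MMD)
]


def demo() -> dict:
    return {
        leaf_index: check_mmd(SCT_TS, leaf_index, HISTORY, MMD_24H_MS)[0]
        for leaf_index in (120, 180, 250)
    }


if __name__ == "__main__":
    for idx, verdict in demo().items():
        print(f"leaf_index={idx}: {verdict}")
```

The quality of the verdict depends entirely on how dense your STH history is, which is why this is easiest for entries you watched being merged; reconstructing it long after the fact means relying on whatever STHs a monitor archived at the time.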